HTTPS can use one-way authentication or two-way (mutual) authentication.
One-way authentication, as seen by the user: the website URL is in the form https://xxx.com.
Two-way authentication, as seen by the user: the website URL is in the form https://xxx.com, and the client browser must have a client certificate file in .pfx format (client.pfx) installed before the site can be opened.
Requirement: the local newdefend.com domain should use two-way authentication. For one-way authentication, skip the steps shown with a yellow background in this article; there is also no need to generate and install the client certificate client.pfx.
Reference URL: http://blog.163.com/hr_php/blog/static/235853083201503011428985/
Installation environment: WampServer integrated installation package; Windows 7.
Step 1: In cmd, change to Apache's bin directory, e.g. D:\wamp5.3\bin\apache\Apache2.2.21\bin, and specify the configuration file:
set OPENSSL_CONF=../conf/openssl.cnf
Configuration reference (the [ CA_default ] section of openssl.cnf):
dir             = ./demoCA               # Where everything is kept
certs           = $dir/certs             # Where the issued certs are kept
crl_dir         = $dir/crl               # Where the issued crl are kept
database        = $dir/index.txt         # database index file.
                                         # several certificates with same subject.
new_certs_dir   = $dir/newcerts          # default place for new certs.
certificate     = $dir/cacert.pem        # The CA certificate
serial          = $dir/serial            # The current serial number
crlnumber       = $dir/crlnumber         # the current crl number
                                         # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem           # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand     # private random number file
Create the directories and files below. They are referenced by openssl.cnf, so the commands in the following steps will read and write them.
Create the following folders under the apache/bin directory:
demoCA/newcerts/
demoCA/private/
Create the following files:
demoCA/index.txt
demoCA/serial // content: two hexadecimal characters (0-9, A-F), such as 1A
Step 2: Generate the required private keys
openssl genrsa > root.key // Generate root key
openssl genrsa > server.key // Generate server key
openssl genrsa > client.key // Generate client key
Step 3: Generate a self-signed root certificate
openssl req -x509 -new -key root.key >root.crt
Description:
-new           generates a new request file
-key filename  the file containing our private key
-x509          outputs a self-signed certificate; generally used for testing, or to act as your own Root CA. The certificate extensions are taken from the config file.
Step 4: Generate the certificate signing request (CSR) files for the server and the client.
openssl req -new -key server.key -out server.csr
openssl req -new -key client.key -out client.csr // An error message may appear here; see the error solution below
Description: Enter the parameters as prompted: CN - SH - SH - '' - '' - domain name/IP. Apart from entering the domain name/IP as the Common Name, pay special attention to the country and province fields ("China CN, Shanghai SH"). The rest can be left empty.
Country Name (2 letter code) [AU]:CN                  ISO country code (only two characters are supported)
State or Province Name (full name) [Some-State]:ZJ    the province you are in
Locality Name (eg, city) []:HZ                        the city you are in
Organization Name (eg, company) []:THS                company name
Organizational Unit Name (eg, section) []:THS         organization/department name
Common Name (eg, YOUR name) []:localhost              domain name or IP address the certificate is for
Email Address []:[email protected]                    e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                              challenge password (exchange key)
An optional company name []:
Hint: error solution (the error relates to the demoCA files created at the beginning)
// Error prompt
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
// Cause: this happens when certificates share common data. You cannot have two certificates that otherwise look the same.
// Solution
// Method 1: in demoCA/index.txt.attr, change unique_subject = yes to unique_subject = no
// Method 2: delete the content of demoCA/index.txt
// Method 3: set the Common Name to a different value
Step 5: Sign the server and client requests with the root certificate
openssl ca -in server.csr -cert root.crt -keyfile root.key -out server.crt
openssl ca -in client.csr -cert root.crt -keyfile root.key -out client.crt
Description:
-in filename   the csr file to be signed
-cert          the CA's own certificate file
-keyfile       the CA's own private key file
-out filename  the signed certificate file; the certificate details are also written to it
Step 6: Configure openssl.cnf, create the file paths, and generate the cakey.pem (CA key file) and cacert.pem (CA certificate file) that it requires
openssl genrsa -out demoCA/private/cakey.pem 2048
openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
Step 7: Convert the client certificate to pfx format. After it is generated, double-click the file to install it in the browser (important)
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Note: the password entered here is the password the client must enter when installing the certificate. It can be empty.
This completes the openssl certificate files.
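The whole chain from Steps 2 to 7 in one script, as an added example that is not part of the original article: it runs the openssl commands non-interactively in a temporary directory (the -subj string replaces the Step 4 prompts), signs with openssl x509 -req instead of openssl ca so no demoCA/ layout is needed, and ends with the check mod_ssl performs when SSLVerifyClient is set to require. The subject values, the export password changeit and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Signs with "openssl x509 -req" rather than
# "openssl ca", so no demoCA/ layout is needed. Subjects and the password are assumed.
set -eu
WORK=$(mktemp -d)

# Step 3: self-signed root; -subj supplies the C/ST/L/CN answers to the article's prompts.
make_root() {
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/root.key" -days 365 \
    -subj "/C=CN/ST=SH/L=SH/CN=newdefend test root" -out "$WORK/root.crt"
}

# Steps 2, 4 and 5 for one name: key, signing request, and a root-signed certificate
# written to $WORK/<name>.key, .csr and .crt.
issue_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/C=CN/ST=SH/L=SH/CN=$2" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Step 7: bundle client certificate and key as PKCS#12. The export password is what
# the browser asks for on import; then read the bundle back to prove it opens.
export_pfx() {
  openssl pkcs12 -export -clcerts -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -passout pass:changeit -out "$WORK/client.pfx"
  openssl pkcs12 -in "$WORK/client.pfx" -passin pass:changeit -nokeys -noout 2>/dev/null
}

# The check mod_ssl performs on the certificate a browser presents when
# SSLVerifyClient is set to require: does it chain to the root in SSLCACertificateFile?
chains_to_root() {
  openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

# A self-signed certificate from an unrelated issuer: mod_ssl must reject it.
make_unrelated() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -days 365 \
    -subj "/CN=other" -out "$WORK/other.crt" 2>/dev/null
}

make_root
issue_cert server my.newdefend.com
issue_cert client client-user
export_pfx
make_unrelated
chains_to_root "$WORK/server.crt" && chains_to_root "$WORK/client.crt" || exit 1
if chains_to_root "$WORK/other.crt"; then exit 1; fi   # unrelated issuer must be rejected
echo "chain verified; client.pfx written to $WORK/client.pfx"
```

The files are left in the temporary directory so server.crt, server.key and root.crt can be copied into the paths used by the Apache configuration in Step 9.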
Step 8: Configure the httpd.conf file in the Apache conf directory
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Step 9: Configure httpd-ssl.conf. Note: if there are multiple sites under Apache, also configure httpd-vhosts.conf
SSLSessionCache "shmcb:D:/wamp/bin/apache/apache2.4.9/logs/ssl_scache(512000)"

<VirtualHost _default_:443>
    DocumentRoot "D:/wamp/www"
    ServerName localhost
    SSLEngine on
    SSLCertificateFile "D:/wamp/bin/apache/apache2.4.9/bin/server.crt"
    SSLCertificateKeyFile "D:/wamp/bin/apache/apache2.4.9/bin/server.key"
    # For one-way authentication, comment out the following 3 lines
    SSLCACertificateFile "D:/wamp/bin/apache/apache2.4.9/bin/root.crt"
    SSLVerifyClient require
    SSLVerifyDepth 1
    CustomLog "D:/wamp/bin/apache/apache2.4.9/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
httpd-vhosts.conf

<VirtualHost *:80>
    DocumentRoot "D:/wamp/www/www.newdefend.com"
    ServerName my.newdefend.com
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "D:/wamp/www/www.newdefend.com"
    ServerName my.newdefend.com
    ErrorLog "D:/wamp/www/logs/error.log"
    TransferLog "D:/wamp/www/logs/access.log"
    SSLEngine on
    SSLCertificateFile "D:/wamp/bin/apache/apache2.4.9/bin/server.crt"
    SSLCertificateKeyFile "D:/wamp/bin/apache/apache2.4.9/bin/server.key"
    # For one-way authentication, comment out the following 3 lines
    SSLCACertificateFile "D:/wamp/bin/apache/apache2.4.9/bin/root.crt"
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
Restart wamp.
Two-way authentication in action:
The following figure shows: the client.pfx file has not been installed on the computer yet; double-click it to install.
The following figure shows: client.pfx has been installed; when the site is opened, the browser asks you to select the certificate.
The figure below shows success: the site can be accessed directly. Because the certificate was generated locally, browsers do not trust it; in a real deployment this does not happen if the certificate is obtained from an authoritative CA.
Finally, to check which certificates are installed on your computer, see: https://jingyan.baidu.com/article/c275f6baf8622ae33d756794.html
The result is shown below: 192.168.184.53 is the certificate I generated myself.